Access Control – Privilege Management

As any information security professional will tell you, privileged users are the targets for most hackers, who ultimately want to compromise an account that has the necessary privileges to either cause disruption or access sensitive data. Privileged users, such as network administrators, often have the keys to the kingdom and can grant or revoke access at will. As well as controlling access, network administrators are able to make configuration changes to infrastructure that, if exploited and used maliciously, could bring a business to its knees. It is therefore imperative to secure these types of accounts from unauthorised access during and after use.

There are a number of controls that can be implemented to reduce the risk from privileged accounts. It is worth considering the security of these accounts throughout their life cycle. This includes securing the process for issuing privileged accounts, restricting access to those accounts when in use, and reviewing privileged accounts regularly to ensure that there are no legacy accounts in use. Failure to implement sufficient controls at any stage of this life cycle could represent a significant risk to the organisation, so let’s look at each in detail.

Issuing Privileged Accounts

Segregation of duties is critical at this stage. There should be an effective process in place that involves multiple individuals before a privileged account is issued. For example, a single network administrator should not be capable of issuing an account with increased privileges without sign-off from other management and without the process being monitored and signed off. To ensure this process is followed, the organisation may wish to set up monitoring systems that alert when a new privileged account has been created. If these account creations don’t cross-reference with an approved process, this could be an indication of a compromised account issuing other accounts as part of an attack.
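One way to implement the cross-reference described above, as an added example that is not part of the original article. The CSV layouts, account names, ticket ids and the two-approver threshold are assumptions constructed for illustration; a real deployment would read the directory's audit log and the ticketing system's export instead.

```python
import csv
import io

# Constructed sample data: approved requests (hypothetical ticketing export)
APPROVALS_CSV = """ticket,account,approvers
CHG-1001,adm-jsmith,mgr-lee;sec-patel
CHG-1002,adm-akhan,netadmin1;mgr-lee
CHG-1003,adm-rjones,mgr-lee
"""
# Constructed sample data: privileged-account creations (hypothetical audit log)
EVENTS_CSV = """timestamp,account,created_by,ticket
2024-03-01T09:12:00Z,adm-jsmith,netadmin1,CHG-1001
2024-03-01T23:47:00Z,adm-svc9,netadmin1,
2024-03-02T10:05:00Z,adm-akhan,netadmin1,CHG-1002
2024-03-02T11:30:00Z,adm-rjones,netadmin2,CHG-1003
2024-03-03T08:00:00Z,adm-other,netadmin2,CHG-1001
"""
MIN_APPROVERS = 2  # assumption: policy requires two independent sign-offs


def load_approvals(text):
    """Map ticket id -> approved account name and the set of approvers."""
    approvals = {}
    for row in csv.DictReader(io.StringIO(text)):
        names = {a.strip().lower() for a in row["approvers"].split(";") if a.strip()}
        approvals[row["ticket"]] = {"account": row["account"].lower(), "approvers": names}
    return approvals


def review_creations(events_text, approvals):
    """Return (timestamp, account, creator, reason) for each creation to alert on."""
    findings = []
    for ev in csv.DictReader(io.StringIO(events_text)):
        account, creator = ev["account"].lower(), ev["created_by"].lower()
        approval = approvals.get(ev["ticket"])
        if approval is None:
            reason = "no approved request"
        elif approval["account"] != account:
            reason = "ticket approved for a different account"
        # Segregation of duties: the issuer's own sign-off does not count.
        elif len(approval["approvers"] - {creator}) < MIN_APPROVERS:
            reason = "insufficient independent sign-off"
        else:
            continue
        findings.append((ev["timestamp"], account, creator, reason))
    return findings


if __name__ == "__main__":
    for finding in review_creations(EVENTS_CSV, load_approvals(APPROVALS_CSV)):
        print("ALERT:", *finding)
```

Matching on both ticket id and account name catches an approved ticket being reused to justify a different account.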

Monitoring of Privileged Account Actions

Monitoring controls should be configured to monitor privileged user account actions, even more so than those of regular users. While privileged user accounts should be subject to the same policy requirements as other users, there should be increased monitoring around the actions of these accounts, as they can often be used to cause damage to the organisation.

Personal Use

Privileged users should have separate user accounts for performing administration tasks and for personal use. Using the same account for both represents a significant risk: if the user account is compromised, the attacker will likely inherit the privileges of that user. Technical staff should be trained that privileged accounts should only be used to conduct administrative tasks and that any other web browsing should take place from a separate account. This provides an extra layer of defence to the organisation.

Reviewing Privileged Accounts

This is a fundamental control that often gets overlooked. Ensuring that privileged accounts are disabled when a staff member leaves or moves role is imperative. In an example case, an organisation fired a network administrator for misuse but did not revoke their account, and later found that the user was still able to log in remotely. There should be efficient processes to ensure accounts are disabled and privileges revoked (this includes both accounts and physical devices, tokens, passes and keys). Access should be prevented in all cases. To ensure that these processes are sufficient, the organisation may wish to review account privileges on a periodic basis, for example via an AD dump.

Conclusion

It is evident that there is a significant risk from privileged users on a day-to-day basis. When implementing controls, it may be worthwhile to consider the account as a life cycle and ensure that there is a control at each stage.